Support deployment behind nginx reverse proxy

italiangrid · Oct 17, 2024 · 192d32f · 192d32f
1 parent 2fa53c1
commit 192d32f
Show file tree

Hide file tree

Showing 11 changed files with 214 additions and 3 deletions.
diff --git a/data/webdav-defaults.yaml b/data/webdav-defaults.yaml
@@ -41,4 +41,5 @@ storm::webdav::file_buffer_size: 1048576
 storm::webdav::voms_trust_store_dir: '/etc/grid-security/vomsdir'
 storm::webdav::voms_trust_store_refresh_interval_sec: 43200
 storm::webdav::voms_cache_enabled: true
-storm::webdav::voms_cache_entry_lifetime_sec: 300
+storm::webdav::voms_cache_entry_lifetime_sec: 300
+storm::webdav::nginx_reverse_proxy: false
diff --git a/files/etc/storm/nginx/nginx.conf b/files/etc/storm/nginx/nginx.conf
@@ -0,0 +1,33 @@
+user storm storm;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log debug;
+
+load_module /usr/lib64/nginx/modules/ngx_http_voms_module.so;
+
+events {
+	worker_connections 1024;
+}
+
+http {
+	include      mime.types;
+	default_type  application/octet-stream;
+
+	resolver 127.0.0.11 ipv6=off;
+
+	log_format storm '$time_iso8601 [$request_id] $remote_addr - $remote_user "$request" <$upstream_response_time> '
+		'$ssl_protocol/$ssl_cipher '
+		'"$ssl_client_s_dn" '
+		'"$ssl_client_ee_s_dn" '
+		'$status $body_bytes_sent "$http_referer" '
+		'"$http_user_agent" "$http_x_forwarded_for"';
+
+	access_log /var/log/nginx/access.log storm;
+
+	sendfile        on;
+	#tcp_nopush     on;
+
+	keepalive_timeout  65;
+
+	include /etc/nginx/conf.d/*.conf;
+}
diff --git a/manifests/webdav.pp b/manifests/webdav.pp
@@ -193,6 +193,8 @@
 
   String $tape_wellknown_source,
 
+  Boolean $nginx_reverse_proxy,
+
 ) {
   contain storm::webdav::install
   contain storm::webdav::config

diff --git a/manifests/webdav/config.pp b/manifests/webdav/config.pp
@@ -83,6 +83,23 @@
     notice('Empty storage area list. No storage area has been defined and initialized.')
   }
 
+  if $storm::webdav::nginx_reverse_proxy {
+    file { '/etc/nginx/nginx.conf' :
+      ensure   => file,
+      owner    => 'storm',
+      group    => 'storm',
+      mode     => '0644',
+      source   => "puppet:///modules/storm/etc/storm/nginx/nginx.conf",
+    }
+    file { '/etc/nginx/conf.d/storm.location' :
+      ensure   => file,
+      content  => template('storm/etc/nginx/storm.location.erb'),
+      owner    => 'storm',
+      group    => 'storm',
+      mode     => '0644',
+    }
+  }
+
   # Directory '/etc/systemd/system/storm-webdav.service.d' is created by rpm
   $service_dir='/etc/systemd/system/storm-webdav.service.d'
 

diff --git a/manifests/webdav/install.pp b/manifests/webdav/install.pp
@@ -6,4 +6,37 @@
   package { 'storm-webdav':
     ensure  => '>=1.4.2',
   }
+  if $storm::webdav::nginx_reverse_proxy {
+    $el = $facts['os']['distro']['release']['major']
+    yumrepo { 'nginx-stable-repo':
+      ensure   => present,
+      descr    => 'nginx stable repo',
+      enabled  => 1,
+      gpgcheck => 1,
+      baseurl  => "http://nginx.org/packages/centos/${el}/x86_64/",
+      gpgkey   => 'https://nginx.org/keys/nginx_signing.key',
+    }
+    package { 'nginx':
+      ensure  => 'installed',
+      require => Yumrepo['nginx-stable-repo'],
+    }
+    yumrepo { 'voms':
+      ensure   => present,
+      descr    => 'VOMS stable repo',
+      baseurl  => "https://repo.cloud.cnaf.infn.it/repository/voms-rpm-stable/centos${el}/",
+      enabled  => 1,
+      gpgcheck => 0,
+    }
+    yumrepo { 'storage-generic':
+      ensure   => present,
+      descr    => 'Storage Generic repo managed by Puppet',
+      baseurl  => 'http://os-server.cnaf.infn.it/distro/Storage/generic/',
+      enabled  => 1,
+      gpgcheck => 0,
+    }
+    package { 'nginx-module-http-voms':
+      ensure  => 'installed',
+      require => Yumrepo['storage-generic'],
+    }
+  }
 }
diff --git a/manifests/webdav/service.pp b/manifests/webdav/service.pp
@@ -5,4 +5,10 @@
     ensure => running,
     enable => true,
   }
+  if $storm::webdav::nginx_reverse_proxy {
+    service { 'nginx':
+      ensure => running,
+      enable => true,
+    }
+  }
 }
diff --git a/spec/classes/storm/storm_webdav_install_spec.rb b/spec/classes/storm/storm_webdav_install_spec.rb
@@ -3,6 +3,13 @@
 describe 'storm::webdav::install' do
   on_supported_os.each do |os, facts|
     context "on #{os}" do
+      let(:pre_condition) do
+        <<-EOF
+          class { 'storm::webdav':
+            nginx_reverse_proxy => false,
+          }
+        EOF
+      end
       let(:facts) do
         facts
       end

diff --git a/spec/classes/storm/storm_webdav_service_spec.rb b/spec/classes/storm/storm_webdav_service_spec.rb
@@ -5,6 +5,11 @@
     context "on #{os}" do
       let(:pre_condition) do
         'include storm::webdav::install'
+        <<-EOF
+          class { 'storm::webdav':
+            nginx_reverse_proxy => false,
+          }
+        EOF
       end
 
       let(:facts) do

diff --git a/spec/classes/storm/storm_webdav_spec.rb b/spec/classes/storm/storm_webdav_spec.rb
@@ -68,6 +68,8 @@
             'voms_trust_store_refresh_interval_sec' => 43201,
             'voms_cache_enabled' => false,
             'voms_cache_entry_lifetime_sec' => 301,
+
+            'nginx_reverse_proxy' => false,
           }
         end
 
@@ -302,6 +304,72 @@
           )
         end
       end
+
+      context 'Check deployment behind nginx reverse proxy' do
+        let(:params) do
+          {
+            'http_port' => 8080,
+            'nginx_reverse_proxy' => true,
+          }
+        end
+
+        case facts[:operatingsystemmajrelease]
+        when '7'
+          it 'nginx-stable-repo is installed and enabled' do
+            is_expected.to contain_yumrepo('nginx-stable-repo').with(
+              ensure: 'present',
+              baseurl: 'http://nginx.org/packages/centos/7/x86_64/',
+              enabled: 1,
+              gpgcheck: 1,
+            )
+          end
+          it 'voms is installed and enabled' do
+            is_expected.to contain_yumrepo('voms').with(
+              ensure: 'present',
+              baseurl: 'https://repo.cloud.cnaf.infn.it/repository/voms-rpm-stable/centos7/',
+              enabled: 1,
+              gpgcheck: 0,
+            )
+          end
+          it 'storage-generic is installed and enabled' do
+            is_expected.to contain_yumrepo('storage-generic').with(
+              ensure: 'present',
+              baseurl: 'http://os-server.cnaf.infn.it/distro/Storage/generic/',
+              enabled: 1,
+              gpgcheck: 0,
+            )
+          end
+        end
+        it 'check sysconfig file' do
+          service_file = '/etc/systemd/system/storm-webdav.service.d/storm-webdav.conf'
+          is_expected.to contain_file(service_file).with(
+            ensure: 'file',
+          )
+          is_expected.to contain_file(service_file).with(content: %r{Environment="STORM_WEBDAV_NGINX_REVERSE_PROXY=true"})
+        end
+        it 'check nginx configuration files' do
+          nginx_conf_file = '/etc/nginx/nginx.conf'
+          is_expected.to contain_file(nginx_conf_file).with(
+            ensure: 'file',
+          )
+          nginx_storm_location_file = '/etc/nginx/conf.d/storm.location'
+          is_expected.to contain_file(nginx_storm_location_file).with(
+            ensure: 'file',
+          )
+          is_expected.to contain_file(nginx_storm_location_file).with(content: %r{location /internal-get})
+        end
+        it 'check nginx rpm is installed' do
+          is_expected.to contain_package('nginx')
+        end
+        it 'check nginx-module-http-voms rpm is installed' do
+          is_expected.to contain_package('nginx-module-http-voms')
+        end
+        it { is_expected.to contain_service('nginx').with(ensure: 'running') }
+        it 'check environment file' do
+          service_file = '/etc/systemd/system/storm-webdav.service.d/storm-webdav.conf'
+          is_expected.to contain_file(service_file).with(content: %r{Environment="STORM_WEBDAV_HTTP_PORT=8081"})
+        end
+      end
     end
   end
 end
diff --git a/templates/etc/nginx/storm.location.erb b/templates/etc/nginx/storm.location.erb
@@ -0,0 +1,35 @@
+server {
+	location /internal-get {
+		internal;
+		alias /;
+		sendfile on;
+		tcp_nopush on;
+		keepalive_timeout 65;
+		tcp_nodelay on;
+	}
+	location / {
+		proxy_pass http://127.0.0.1:<%=scope['storm::webdav::http_port'] + 1%>;
+		proxy_set_header X-VOMS-voms_user $voms_user;
+		proxy_set_header X-VOMS-ssl_client_ee_s_dn $ssl_client_ee_s_dn;
+		proxy_set_header X-VOMS-voms_user_ca $voms_user_ca;
+		proxy_set_header X-VOMS-ssl_client_ee_i_dn $ssl_client_ee_i_dn;
+		proxy_set_header X-VOMS-voms_fqans $voms_fqans;
+		proxy_set_header X-VOMS-voms_server $voms_server;
+		proxy_set_header X-VOMS-voms_server_ca $voms_server_ca;
+		proxy_set_header X-VOMS-voms_vo $voms_vo;
+		proxy_set_header X-VOMS-voms_server_uri $voms_server_uri;
+		proxy_set_header X-VOMS-voms_not_before $voms_not_before;
+		proxy_set_header X-VOMS-voms_not_after $voms_not_after;
+		proxy_set_header X-VOMS-voms_generic_attributes $voms_generic_attributes;
+		proxy_set_header X-VOMS-voms_serial $voms_serial;
+	}
+	listen [::]:<%=scope['storm::webdav::https_port']%> ssl http2;
+	listen <%=scope['storm::webdav::https_port']%> ssl http2;
+	ssl_certificate /etc/grid-security/hostcert.pem;
+	ssl_certificate_key /etc/grid-security/hostkey.pem;
+	ssl_client_certificate /etc/pki/ca-trust/extracted/pem/tls-ca-bundle-all.pem;
+	ssl_verify_client optional;
+	ssl_verify_depth 10;
+	client_max_body_size 0;
+	error_page 497 https://$host:<%=scope['storm::webdav::https_port']%>$request_uri;
+}
diff --git a/templates/etc/systemd/system/storm-webdav.service.d/storm-webdav.conf.erb b/templates/etc/systemd/system/storm-webdav.service.d/storm-webdav.conf.erb
@@ -27,7 +27,7 @@ Environment="STORM_WEBDAV_HOSTNAME_<%= idx %>=<%= hostname %>"
 Environment="STORM_WEBDAV_HTTPS_PORT=<%=scope.lookupvar('storm::webdav::https_port')%>"
 
 # HTTP connector port
-Environment="STORM_WEBDAV_HTTP_PORT=<%=scope.lookupvar('storm::webdav::http_port')%>"
+Environment="STORM_WEBDAV_HTTP_PORT=<%=scope.lookupvar('storm::webdav::http_port') + (scope.lookupvar('storm::webdav::nginx_reverse_proxy') ? 1 : 0)%>"
 
 # Path to the service certificate.
 Environment="STORM_WEBDAV_CERTIFICATE_PATH=/etc/grid-security/storm-webdav/hostcert.pem"
@@ -176,4 +176,8 @@ Environment="STORM_WEBDAV_VOMS_CACHE_ENABLE=<%=scope.lookupvar('storm::webdav::v
 
 # Cache entries lifetime, used if caching for VOMS certificate validation is enabled
 # Default: 300
-Environment="STORM_WEBDAV_VOMS_CACHE_ENTRY_LIFETIME_SEC=<%=scope.lookupvar('storm::webdav::voms_cache_entry_lifetime_sec')%>"
+Environment="STORM_WEBDAV_VOMS_CACHE_ENTRY_LIFETIME_SEC=<%=scope.lookupvar('storm::webdav::voms_cache_entry_lifetime_sec')%>"
+
+# Use nginx as a reverse proxy
+# Default: false
+Environment="STORM_WEBDAV_NGINX_REVERSE_PROXY=<%=scope.lookupvar('storm::webdav::nginx_reverse_proxy')%>"